Stronger Security and Constructions of Multi-designated Verifier Signatures

Damgård, Ivan; Haagh, Helene; Mercer, Rebekah; Nitulescu, Anca; Orlandi, Claudio; Yakoubov, Sophia

doi:10.1007/978-3-030-64378-2_9

Stronger Security and Constructions of Multi-designated Verifier Signatures

Ivan Damgård¹⁰,
Helene Haagh¹⁰,
Rebekah Mercer¹¹,
Anca Nitulescu¹⁰,
Claudio Orlandi¹⁰ &
Sophia Yakoubov¹⁰

Conference paper
First Online: 09 December 2020

365 Accesses
5 Citations

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12551)

Abstract

Off-the-Record (OTR) messaging is a two-party message authentication protocol that also provides plausible deniability: there is no record that can later convince a third party what messages were actually sent. The challenge in group OTR, is to enable the sender to sign his messages so that group members can verify who sent a message (signatures should be unforgeable, even by group members). Also, we want the off-the-record property: even if some verifiers are corrupt and collude, they should not be able to prove the authenticity of a message to any outsider. Finally, we need consistency, meaning that if any group member accepts a signature, then all of them do.

To achieve these properties it is natural to consider Multi-Designated Verifier Signatures (MDVS). However, existing literature defines and builds only limited notions of MDVS, where (a) the off-the-record property (source hiding) only holds when all verifiers could conceivably collude, and (b) the consistency property is not considered.

The contributions of this paper are two-fold: stronger definitions for MDVS, and new constructions meeting those definitions. We strengthen source-hiding to support any subset of corrupt verifiers, and give the first formal definition of consistency. We build three new MDVS: one from generic standard primitives (PRF, key agreement, NIZK), one with concrete efficiency and one from functional encryption.

This research was supported by: the Concordium Blockhain Research Center, Aarhus University, Denmark; the Carlsberg Foundation under the Semper Ardens Research Project CF18-112 (BCM); the European Research Council (ERC) under the European Unions’s Horizon 2020 research and innovation programme under grant agreement No 669255 (MPCPRO) and No 803096 (SPEC); the Danish Independent Research Council under Grant-ID DFF-6108-00169 (FoCC); the NSF MACS project.

This is a preview of subscription content, access via your institution.

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 84.99; Price excludes VAT (USA)

Softcover Book: USD 109.99; Price excludes VAT (USA)

Learn about institutional subscriptions

Notes

1.
Ring signatures [RST01] can be similarly used in this context; \(\mathsf {S}\)ophia could use a ring signature scheme to sign in such a way that anyone could verify that the signature came from someone in her organization, but not that it came from her, specifically. However, MDVS has an advantage here, since it is possible that \(\mathcal {A}\)aron only doubts the trustworthiness of one of his colleagues; if \(\mathsf {S}\)ophia uses a ring signature, that signature would convince \(\mathcal {A}\)aron that she was the signer, but if she uses an MDVS signature, \(\mathcal {A}\)aron wouldn’t know whether she was the true signer, or whether the signature was just a simulation (even if \(\mathsf {S}\)ophia was his only suspect).
In the context of a group off-the-record conversation, MDVS signatures are clearly the right tool, as members of the group should learn the identity of the sender of each message.
2.
One previous work [Tia12] allows a single verifier to simulate a signature. However, in this construction a simulated signature created by a malicious verifier will look like a real signature for all other designated verifers, violating unforgeability.
3.
Note that privacy of identities is related to—but very different from—off-the-record. Neither of these definitions is strictly stronger than the other. Privacy of identities is weaker in that it assumes that none of the \(\mathsf {R}\)eporters help in identifying \(\mathsf {S}\)ophia as the sender, while off-the-record makes no such assumptions. However, privacy of identities is stronger in that it requires that \(\sigma \) alone reveal nothing about \(\mathsf {S}\)ophia’s identity to anyone other than the \(\mathsf {R}\)eporters; off-the-record allows such leakage, as long as it is not provable.
4.
This trusted authority can also be distributed; perhaps the master secret is secret-shared across several different institutions, who must collaborate in order to produce a secret verification key.
5.
If only one designated verifier can simulate a signature, it must be distinguishable from a real signature by other verifiers (by the strong unforgeability property). Two colluding verifiers would be able to prove to an outsider that a given signature is not a simulation by showing that it verifiers for both of them. So, any-subset simulation gives strictly stronger off-the-record guarantees than one-verifier simulation.
6.
Note that when all designated verifiers are needed for the simulation, then a designated verifier will be able to distinguish a simulation from a real signature based on whether he participated in the simulation of the signature. However, if this is the only way he can distinguish, then the signature scheme has weak unforgeability, since the simulated signature is still a valid forgery.
7.
Note that our construction from standard primitives does make use of MAC schemes; however, it does so in a complex, non-black-box way.
8.
Simply proving that all of the signatures verify would violate the off-the-record property; instead, the signer proves that either all of the signatures are real, or they are all simulated, as described in Sect. 3.
9.
The group G will be used in the construction of the PSDVS scheme.
10.
This set-up need to keep the factorization of n secret. Hence, to avoid relying on a trusted party, the parties can use an interactive protocol to generate n securely, there are several quite efficient examples in the literature.
11.
\(k\) can be computed using the standard “discrete log” algorithm from Paillier decryption.
12.
The original CDRA assumption does not have the restriction to Jacobi symbol 1, but since the Jacobi symbol is easy to compute without the factors of n, the two versions are equivalent.
13.
We assume that the mapping \(i\rightarrow ({ssk}_i,{spk}_i)\) is unique in the system. This can be achieved without loss of generality by pseudorandomly generating the randomness required in the key generation process from the identity i and the master secret key.
14.
We assume that the mapping \(j\rightarrow ({vsk}_j,{vpk}_j)\) is unique in the system. This can be achieved wlog by pseudorandomly generating the randomness required in the key generation process from the identity j and the master secret key.

References

Ananth, P., Vaikuntanathan, V.: Optimal bounded-collusion secure functional encryption. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11891, pp. 174–198. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_8
CrossRef Google Scholar
Borisov, N., Goldberg, I., Brewer, E.: Off-the-record communication, or, why not to use PGP. In: Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society, pp. 77–84. ACM (2004)
Google Scholar
Badrinarayanan, S., Goyal, V., Jain, A., Sahai, A.: Verifiable functional encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 557–587. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_19
CrossRef Google Scholar
Chaum, D.: Private signature and proof systems. US Patent 5,493,614 (1996)
Google Scholar
Chang, T.Y.: An ID-based multi-signer universal designated multi-verifier signature scheme. Inf. Comput. 209(7), 1007–1015 (2011)
MathSciNet CrossRef Google Scholar
Chow, S.S.M.: Identity-based strong multi-designated verifiers signatures. In: Atzeni, A.S., Lioy, A. (eds.) EuroPKI 2006. LNCS, vol. 4043, pp. 257–259. Springer, Heidelberg (2006). https://doi.org/10.1007/11774716_23
CrossRef Google Scholar
Chow, S.S.M.: Multi-designated verifiers signatures revisited. IJ Netw. Secur. 7(3), 348–357 (2008)
Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_11
CrossRef Google Scholar
Jakobsson, M., Sako, K., Impagliazzo, R.: Designated verifier proofs and their applications. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 143–154. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_13
CrossRef Google Scholar
Li, Y., Susilo, W., Mu, Y., Pei, D.: Designated verifier signature: definition, framework and new constructions. In: Indulska, J., Ma, J., Yang, L.T., Ungerer, T., Cao, J. (eds.) UIC 2007. LNCS, vol. 4611, pp. 1191–1200. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73549-6_116
CrossRef Google Scholar
Laguillaumie, F., Vergnaud, D.: Multi-designated verifiers signatures. In: Lopez, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 495–507. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30191-2_38
CrossRef Google Scholar
Laguillaumie, F., Vergnaud, D.: Multi-designated verifiers signatures: anonymity without encryption. Inf. Process. Lett. 102(2–3), 127–132 (2007)
MathSciNet CrossRef Google Scholar
Marlinspike, M.: Advanced cryptographic ratcheting (2013)
Google Scholar
Ming, Y., Wang, Y.: Universal designated multi verifier signature scheme without random oracles. Wuhan Univ. J. Nat. Sci. 13(6), 685–691 (2008). https://doi.org/10.1007/s11859-008-0610-6
MathSciNet CrossRef Google Scholar
Ng, C.Y., Susilo, W., Mu, Y.: Universal designated multi verifier signature schemes. In: 11th International Conference on Parallel and Distributed Systems, ICPADS 2005, Fuduoka, Japan, 20–22 July 2005, pp. 305–309 (2005)
Google Scholar
Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32
CrossRef Google Scholar
Seo, S.-H., Hwang, J.Y., Choi, K.Y., Lee, D.H.: Identity-based universal designated multi-verifiers signature schemes. Comput. Stand. Interfaces 30(5), 288–295 (2008)
CrossRef Google Scholar
Shailaja, G., Kumar, K.P., Saxena, A.: Universal designated multi verifier signature without random oracles. In: 9th International Conference in Information Technology, ICIT 2006, Bhubaneswar, Orissa, India, 18–21 December 2006, pp. 168–171 (2006)
Google Scholar
Tian, H.: A new strong multiple designated verifiers signature. IJGUC 3(1), 1–11 (2012)
CrossRef Google Scholar
Vergnaud, D.: New extensions of pairing-based signatures into universal designated verifier signatures. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 58–69. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_6
CrossRef Google Scholar
Zhang, Y., Au, M.H., Yang, G., Susilo, W.: (Strong) multi-designated verifiers signatures secure against rogue key attack. In: Xu, L., Bertino, E., Mu, Y. (eds.) NSS 2012. LNCS, vol. 7645, pp. 334–347. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34601-9_25
CrossRef Google Scholar
Zheng, Y.: Digital signcryption or how to achieve cost(signature & encryption) \(\ll \) cost(signature) + cost(encryption). In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 165–179. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052234
CrossRef Google Scholar

Download references

Author information

Authors and Affiliations

Aarhus University, Aarhus, Denmark
Ivan Damgård, Helene Haagh, Anca Nitulescu, Claudio Orlandi & Sophia Yakoubov
O(1) Labs, San Francisco, USA
Rebekah Mercer

Authors

Ivan Damgård
View author publications
You can also search for this author in PubMed Google Scholar
Helene Haagh
View author publications
You can also search for this author in PubMed Google Scholar
Rebekah Mercer
View author publications
You can also search for this author in PubMed Google Scholar
Anca Nitulescu
View author publications
You can also search for this author in PubMed Google Scholar
Claudio Orlandi
View author publications
You can also search for this author in PubMed Google Scholar
Sophia Yakoubov
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Anca Nitulescu .

Editor information

Editors and Affiliations

Cornell Tech, New York, NY, USA
Prof. Rafael Pass
Institute of Science and Technology Austria, Klosterneuburg, Austria
Krzysztof Pietrzak

Rights and permissions

Reprints and Permissions

Copyright information

About this paper

Cite this paper

Damgård, I., Haagh, H., Mercer, R., Nitulescu, A., Orlandi, C., Yakoubov, S. (2020). Stronger Security and Constructions of Multi-designated Verifier Signatures. In: Pass, R., Pietrzak, K. (eds) Theory of Cryptography. TCC 2020. Lecture Notes in Computer Science(), vol 12551. Springer, Cham. https://doi.org/10.1007/978-3-030-64378-2_9

Download citation

DOI: https://doi.org/10.1007/978-3-030-64378-2_9
Published: 09 December 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64377-5
Online ISBN: 978-3-030-64378-2
eBook Packages: Computer ScienceComputer Science (R0)

Published in cooperation with
International Association for Cryptologic Research